|
1 | | -## What’s repeated (and why) |
2 | | - |
3 | | -Yes — you have **the same content twice**, just in two formats: |
4 | | - |
5 | | -- **Markdown section** (starts with `# Configuring Windows Event Log...`) |
6 | | -- **HTML section** (starts with `<div><h1>🖨️ Configuring Windows Event Log...`) |
7 | | - |
8 | | -They repeat the same fields: |
9 | | - |
10 | | -- Title / Synopsis / Description / Author / Version / Notes |
11 | | -- Deployment instructions (steps 1–6) |
12 | | -- Best practices and final notes |
13 | | -- Closing paragraph |
14 | | - |
15 | | -So the “repeatable information” is not small redundancy inside the Markdown; it’s a **full duplication** because both Markdown and HTML versions were included. |
16 | | - |
17 | | ---- |
18 | | - |
19 | | -## Recommended revision: keep ONE format (Markdown) and remove the HTML block |
20 | | - |
21 | | -Below is a cleaned, non-duplicated Markdown-only version (same meaning, tighter wording, and no repeated blocks): |
22 | | - |
23 | | -```markdown |
24 | 1 | # Configuring Windows Event Log for PrintService Operational Log |
25 | 2 |
|
26 | 3 | ## Synopsis |
27 | 4 | Configures Windows Event Log settings for the **Microsoft-Windows-PrintService/Operational** channel. |
28 | 5 |
|
29 | 6 | ## Description |
30 | | -This `.reg` configuration automates key Event Log parameters such as `AutoBackupLogFiles`, `Flags`, log file path (`File`), maximum size (`MaxSize` / `MaxSizeUpper`), and retention (`Retention`) to support reliable PrintService logging. |
| 7 | +This `.reg` configuration automates key Event Log parameters to support reliable PrintService logging, including: |
| 8 | + |
| 9 | +- `AutoBackupLogFiles` |
| 10 | +- `Flags` |
| 11 | +- Log file path (`File`) |
| 12 | +- Maximum size (`MaxSize` / `MaxSizeUpper`) |
| 13 | +- Retention policy (`Retention`) |
31 | 14 |
|
32 | 15 | ## Author |
33 | | -Luiz Hamilton Silva — @brazilianscriptguy |
| 16 | +Luiz Hamilton Silva — `@brazilianscriptguy` |
34 | 17 |
|
35 | 18 | ## Version |
36 | | -Last Updated: November 26, 2024 |
| 19 | +**Last Updated:** 2024-11-26 |
37 | 20 |
|
38 | 21 | ## Notes |
39 | | -- Ensure the target log path (value `File`) exists and is reachable by the system. |
40 | | -- Apply the `.reg` with administrative privileges (or deploy via GPO) to ensure registry changes succeed. |
| 22 | +- Ensure the target log path (registry value `File`) exists and is reachable by the **Local System** context. |
| 23 | +- Apply the `.reg` file with **administrative privileges** (or deploy via **GPO**) to ensure registry changes succeed. |
| 24 | + |
| 25 | +--- |
41 | 26 |
|
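Review bot: The reworded Notes bullet requires the `File` path to be reachable by the **Local System** context, but the value configured later is on `L:`, and the Best Practices list treats `L:` as something that may depend on "mapping". A drive letter mapped in a user's logon session is not visible to services running as Local System, so the note should state that `L:` must be a local volume present at boot, or the document should say what happens to logging when the path cannot be opened.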
42 | 27 | ## Deployment Instructions |
43 | 28 |
|
44 | 29 | ### 1) Save the `.reg` file |
45 | 30 | Save the provided registry content as: |
46 | | -`PrintService-Operacional-EventLogs.reg` |
| 31 | + |
| 32 | +- **Filename:** `PrintService-Operacional-EventLogs.reg` |
47 | 33 |
|
48 | 34 | ### 2) Store it in a shared location |
49 | | -Place the file on a shared path accessible to target machines (read access for the accounts applying the change). |
| 35 | +Place the file on a shared path accessible to target machines (ensure **read access** for the accounts/computers applying the change). |
50 | 36 |
|
51 | 37 | ### 3) Deploy via Group Policy Object (GPO) |
52 | | -1. Open **GPMC** (`gpmc.msc`) |
53 | | -2. Create/edit a GPO linked to the target OU |
54 | | -3. Go to: `Computer Configuration` → `Preferences` → `Windows Settings` → `Registry` |
55 | | -4. Create Registry Items with: |
56 | | - - **Action:** Update |
57 | | - - **Hive:** `HKEY_LOCAL_MACHINE` |
58 | | - - **Key Path:** `SYSTEM\ControlSet001\Services\EventLog\Microsoft-Windows-PrintService/Operational` |
| 38 | +1. Open **Group Policy Management Console (GPMC)**: |
| 39 | + - Press `Win + R`, type `gpmc.msc`, press `Enter`. |
| 40 | +2. Create or edit a GPO linked to the target OU. |
| 41 | +3. Navigate to: |
| 42 | + - `Computer Configuration` → `Preferences` → `Windows Settings` → `Registry` |
| 43 | +4. Create Registry Items with the following settings: |
| 44 | + - **Action:** `Update` |
| 45 | + - **Hive:** `HKEY_LOCAL_MACHINE` |
| 46 | + - **Key Path:** `SYSTEM\ControlSet001\Services\EventLog\Microsoft-Windows-PrintService/Operational` |
59 | 47 | - **Values:** |
60 | | - - `AutoBackupLogFiles` (DWORD) = `1` |
61 | | - - `Flags` (DWORD) = `1` |
62 | | - - `File` (REG_SZ) = `L:\Microsoft-Windows-PrintService-Operational\Microsoft-Windows-PrintService-Operational.evtx` |
63 | | - - `MaxSize` (DWORD) = `09270000` |
64 | | - - `MaxSizeUpper` (DWORD) = `00000000` |
65 | | - - `Retention` (DWORD) = `ffffffff` |
| 48 | + - `AutoBackupLogFiles` (`DWORD`) = `1` |
| 49 | + - `Flags` (`DWORD`) = `1` |
| 50 | + - `File` (`REG_SZ`) = `L:\Microsoft-Windows-PrintService-Operational\Microsoft-Windows-PrintService-Operational.evtx` |
| 51 | + - `MaxSize` (`DWORD`) = `09270000` |
| 52 | + - `MaxSizeUpper` (`DWORD`) = `00000000` |
| 53 | + - `Retention` (`DWORD`) = `ffffffff` |
66 | 54 |
|
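Review bot: The **Key Path** in step 3 (and again in step 5) still hard-codes `SYSTEM\ControlSet001\...`; the rewrite was a good moment to switch to `SYSTEM\CurrentControlSet\...`, because `CurrentControlSet` resolves to whichever control set the machine actually booted with and `ControlSet001` is not guaranteed to be that one. In the same list, `MaxSize` = `09270000` and `Retention` = `ffffffff` are given without a radix while `AutoBackupLogFiles` and `Flags` are plain `1`; the GPO Preferences registry item asks for hexadecimal or decimal, so mark these as hex (for example `0x09270000`) to avoid a decimal entry producing a much smaller log.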
67 | 55 | ### 4) Force policy update |
| 56 | +Run: |
| 57 | + |
68 | 58 | ```powershell |
69 | 59 | gpupdate /force |
70 | 60 | ``` |
71 | | -(or reboot) |
72 | 61 |
|
73 | | -### 5) Verify registry |
74 | | -Check: |
| 62 | +Or reboot the machine to apply the GPO at startup. |
| 63 | + |
| 64 | +### 5) Verify registry changes |
| 65 | +Confirm the values exist at: |
| 66 | + |
75 | 67 | `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Microsoft-Windows-PrintService/Operational` |
76 | 68 |
|
77 | 69 | ### 6) Monitor logs |
78 | | -Confirm the `.evtx` is being created/updated at: |
79 | | -`L:\Microsoft-Windows-PrintService-Operational\` |
| 70 | +Confirm the `.evtx` log file is being created/updated at: |
80 | 71 |
|
81 | | -## Best Practices |
82 | | -- Backup registry / test on a single machine first. |
83 | | -- Validate that `L:` is consistently available on all endpoints (mapping/permissions). |
84 | | -- Secure the log storage location against tampering. |
85 | | -``` |
| 72 | +`L:\Microsoft-Windows-PrintService-Operational\` |
86 | 73 |
|
87 | 74 | --- |
88 | 75 |
|
89 | | -## One important consistency note (optional but recommended) |
90 | | -Your key path alternates between: |
91 | | - |
92 | | -- `Microsoft-Windows-PrintService/Operational` (with `/`) |
93 | | -- `Microsoft-Windows-PrintService\Operational` (with `\`) |
94 | | - |
95 | | -In Windows Registry paths, it’s typically shown with backslashes. If you want maximum clarity, standardize the documentation to **one** form (I’d use `Microsoft-Windows-PrintService/Operational` only when referring to the *Event Log channel name*, and `...\Microsoft-Windows-PrintService\Operational` when referring to the *registry key path*). |
96 | | - |
97 | | -If you tell me which one your `.reg` actually uses, I’ll align the text precisely to match it. |
| 76 | +## Best Practices |
| 77 | +- Backup the registry and test on a single machine before wide deployment. |
| 78 | +- Validate that `L:` is consistently available on all endpoints (mapping, permissions, connectivity). |
| 79 | +- Secure the log storage location to prevent tampering (ACLs, monitoring, write restrictions). |
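Review bot: The deleted "consistency note" section was the only place that raised the `/` versus `\` question in the key path, and the new text keeps `Microsoft-Windows-PrintService/Operational` in both step 3 and step 5 without answering it. Dropping the chat-style wording is right, but add one sentence under step 5 confirming that the `/` is part of a single key name matching the `.reg` file, since a reader who "corrects" it to `\` will write to a different key. The Best Practices list would also benefit from a bullet on archive growth: with `AutoBackupLogFiles` = `1` and `Retention` = `ffffffff` the log is archived when full rather than overwritten, so `L:\Microsoft-Windows-PrintService-Operational\` needs capacity monitoring and a pruning policy.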